Snort mailing list archives
Same config, FreeBSD vs OpenBSD, WAY different results
From: Jim Brown <jpb () sixshooter v6 thrupoint net>
Date: Sun, 12 Oct 2003 15:25:21 -0400
Hello list,

Re: Version 2.0.2 (Build 92)

The two systems listed have the same config:

The OpenBSD system routinely logs more than 5000 entries while the FreeBSD system logs less than 600 entries. The two systems are on the same subnet.

Can anyone tell me why OpenBSD logs far more snort entries with the same config???

Thanks,
jpb

=== Sorted config follows:

include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/info.rules
include $RULE_PATH/local.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/x11.rules
include classification.config
include reference.config
output alert_syslog: LOG_AUTH LOG_INFO
preprocessor bo
preprocessor frag2
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor portscan: $HOME_NET 4 65 portscan.log
preprocessor rpc_decode: 111 32771
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor telnet_decode
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var DNS_SERVERS [192.xxx.yyy.a/32,192.xxx.yyy.b/32]
var EXTERNAL_NET any
var HOME_NET [192.xxx.yyy.a/32,192.xxx.yyy.b/32,192.xxx.yyy.c/32,192.xxx.yyy.d/32,192.xxx.yyy.e/32,192.xxx.yyy.f/32]
var HTTP_PORTS 80
var HTTP_SERVERS [192.xxx.yyy.a/32,192.xxx.yyy.b/32,192.xxx.yyy.c/32]
var ORACLE_PORTS yyy1
var RULE_PATH /usr/local/etc/snort/rules
var SHELLCODE_PORTS !80
var SMTP_SERVERS [192.xxx.yyy.a/32,192.xxx.yyy.b/32,192.xxx.yyy.c/32]
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var TELNET_SERVERS [192.xxx.yyy.g/32]
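The config above sends alerts to syslog (output alert_syslog: LOG_AUTH LOG_INFO), so the first step in explaining a 5000-vs-600 gap is to see which signatures account for the difference rather than comparing raw totals. The following script is an added example, not code from the original post or from the Snort project: it parses the Snort 2.x alert_syslog line format ("[gid:sid:rev] msg [Classification: ...] [Priority: n]: {PROTO} src -> dst"), counts alerts per signature for each sensor, and lists the signatures with the largest count difference. The log lines embedded in it are constructed for illustration; hostnames, PIDs and addresses are placeholders.

```python
"""Compare Snort alert_syslog output from two sensors, signature by signature.

Added example, not part of the original post. Assumes the Snort 2.x
alert_syslog line format produced by "output alert_syslog: LOG_AUTH LOG_INFO".
"""
import re
from collections import Counter

# One Snort alert as written to syslog. The "[Classification: ...]" part is
# optional because preprocessor alerts and rules without a classtype omit it,
# and ICMP alerts carry addresses without ports.
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<pri>\d+)\]: "
    r"\{(?P<proto>[A-Z]+)\} (?P<src>\S+) -> (?P<dst>\S+)"
)


def parse_alert(line):
    """Return the alert fields of one syslog line, or None if it is not a Snort alert."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None


def count_by_signature(lines):
    """Count alerts per (gid, sid, msg) over an iterable of syslog lines."""
    counts = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert:
            counts[(alert["gid"], alert["sid"], alert["msg"])] += 1
    return counts


def compare_sensors(counts_a, counts_b):
    """Rows of (signature, count_a, count_b, count_b - count_a), largest gap first."""
    rows = []
    for sig in set(counts_a) | set(counts_b):
        a, b = counts_a.get(sig, 0), counts_b.get(sig, 0)
        rows.append((sig, a, b, b - a))
    rows.sort(key=lambda r: (-abs(r[3]), r[0]))
    return rows


def report(rows, name_a, name_b):
    """Render the comparison as a plain-text table."""
    out = ["%-8s %-45s %8s %8s %6s" % ("gid:sid", "msg", name_a, name_b, "diff")]
    for (gid, sid, msg), a, b, d in rows:
        out.append("%-8s %-45s %8d %8d %+6d" % ("%s:%s" % (gid, sid), msg[:45], a, b, d))
    return "\n".join(out)


# Constructed sample syslog lines (hosts, PIDs, addresses and the mix of
# signatures are illustrative only).
FREEBSD_LOG = [
    "Oct 12 14:00:01 fbsd snort[1101]: [1:1394:3] SHELLCODE x86 NOOP [Classification: Executable code was detected] [Priority: 1]: {TCP} 10.1.2.3:80 -> 192.0.2.10:1045",
    "Oct 12 14:00:05 fbsd snort[1101]: [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.1.2.3 -> 192.0.2.10",
]
OPENBSD_LOG = [
    "Oct 12 14:00:01 obsd snort[877]: [1:1394:3] SHELLCODE x86 NOOP [Classification: Executable code was detected] [Priority: 1]: {TCP} 10.1.2.3:80 -> 192.0.2.10:1045",
    "Oct 12 14:00:02 obsd snort[877]: [1:1394:3] SHELLCODE x86 NOOP [Classification: Executable code was detected] [Priority: 1]: {TCP} 10.1.2.3:80 -> 192.0.2.10:1046",
    "Oct 12 14:00:03 obsd snort[877]: [1:1394:3] SHELLCODE x86 NOOP [Classification: Executable code was detected] [Priority: 1]: {TCP} 10.1.2.3:80 -> 192.0.2.10:1047",
    "Oct 12 14:00:05 obsd snort[877]: [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.1.2.3 -> 192.0.2.10",
    "Oct 12 14:00:09 obsd snort[877]: [111:1:1] (spp_stream4) STEALTH ACTIVITY (unknown) detection [Priority: 3]: {TCP} 10.1.2.3:2222 -> 192.0.2.10:80",
    "Oct 12 14:00:10 obsd snort[877]: [111:1:1] (spp_stream4) STEALTH ACTIVITY (unknown) detection [Priority: 3]: {TCP} 10.1.2.3:2223 -> 192.0.2.10:80",
    "Oct 12 14:00:11 obsd sshd[900]: Accepted publickey for jpb from 192.0.2.20",
]


def main():
    fb = count_by_signature(FREEBSD_LOG)
    ob = count_by_signature(OPENBSD_LOG)
    print(report(compare_sensors(fb, ob), "freebsd", "openbsd"))


if __name__ == "__main__":
    main()
```

Run it against the real syslog files of both sensors (for example by reading each file into the two lists) and the signatures at the top of the table show where the extra volume comes from, which tells you whether to look at rule files, at a preprocessor such as stream4 or portscan, or at what traffic each host actually sees.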
Current thread:
- Same config, FreeBSD vs OpenBSD, WAY different results Jim Brown (Oct 12)
- Re: Same config, FreeBSD vs OpenBSD, WAY different results twig les (Oct 12)
- Re: Same config, FreeBSD vs OpenBSD, WAY different results Erek Adams (Oct 12)
- Re: Same config, FreeBSD vs OpenBSD, WAY different results Jim Brown (Oct 12)
- RE: Same config, FreeBSD vs OpenBSD, WAY different results Michael Steele (Oct 12)
- Re: Same config, FreeBSD vs OpenBSD, WAY different results Stephen W. Thompson (Oct 12)
- Re: Same config, FreeBSD vs OpenBSD, WAY different results Jim Brown (Oct 12)
- Re: Same config, FreeBSD vs OpenBSD, WAY different results Jim Brown (Oct 13)
- <Possible follow-ups>
- Re: Same config, FreeBSD vs OpenBSD, WAY different results scheidell (Oct 13)
- Re: Same config, FreeBSD vs OpenBSD, WAY different results Josh Berry (Oct 13)